Comment by appease7727

3 days ago

That's literally what VPNs are for.

If you aren't aware: a Virtual Private Network creates a fully encrypted link between you and a remote node. So long as your encryption keys are secure, there's no way for anyone (even a global superpower) to listen to or intrude on that connection. There is no possible way to break into this connection, even with the entire planet's computing resources.

From the outside, all you can see is a stream of encrypted data between two nodes. You cannot tell where the traffic goes once it exits the VPN server or what it contains.

The only way to compromise a VPN connection is the most straightforward and pedestrian: compromise the VPN host and directly spy on their clients with their own hardware.

The GFW certainly can and has detected such encrypted streams and blocked them for being un-inspectable. With a VPN you can perfectly hide what you're doing and you can perfectly prevent intrusion. You cannot prevent someone noticing you're using a VPN. China can simply blanket ban connections that look like VPN traffic. But they cannot tell what you're doing with that VPN.

Thanks for the reply. In order to connect to the VPN, your first call must be over https, from China, to the VPN. How does that circumvent the phenomenon in the article, where a nation state was injecting TCP to cause your connection to hang up, thus no VPN connection?

  • You do not establish a VPN connection in the clear. You must give your client the encryption key before connecting. All transactions are fully encrypted from the beginning.

    Besides that, when negotiating a secure connection through unencrypted channels you typically use Diffie-Hellman to establish the encryption keys. As far as I'm aware, this method cannot be broken. Both nodes compute their own private encryption key and do math to create unencrypted data that must be verified by the other node's key. Even if you had full control of the data stream, you can't determine those private keys and cannot break into the encrypted connection that follows.

    Also VPNs are typically UDP, but there's no hard requirement as far as I know.
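An added example, not written by any commenter in this thread, of the Diffie-Hellman exchange the comment above describes: both nodes publish only g^private mod p, a passive observer sees just those two values, and both sides still derive the same key. The parameters P and G are toy values chosen for illustration (far too small for real use), and the second run in the test shows why real VPN protocols authenticate the exchange with certificates or pre-shared keys: an active on-path node that substitutes a public value leaves the two sides with different keys, which unauthenticated DH alone does not detect.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only.
# Real VPN key exchanges use standardized 2048-bit+ MODP groups or elliptic curves.
P = 2**127 - 1   # a Mersenne prime; small enough to read, not safe for production
G = 5


def dh_keypair(p=P, g=G):
    """Each node picks a secret exponent and publishes only g^secret mod p."""
    private = secrets.randbelow(p - 2) + 2
    public = pow(g, private, p)
    return private, public


def dh_shared_secret(own_private, peer_public, p=P):
    """Both sides reach g^(a*b) mod p without either secret crossing the wire."""
    return pow(peer_public, own_private, p)


def derive_key(shared_secret, transcript):
    """Hash the shared secret together with the public values each side saw,
    so any tampering with the exchange changes the resulting key."""
    return hashlib.sha256(str(shared_secret).encode() + transcript).digest()


def run_exchange(on_path_rewrite=None):
    """Simulate one exchange. Returns (alice_key, bob_key, observed_public_values).

    on_path_rewrite, if given, models an active on-path node that replaces the
    public value Bob sent before Alice receives it (unauthenticated DH cannot
    tell the difference, which is why VPN protocols authenticate the exchange).
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    b_pub_seen_by_alice = on_path_rewrite(b_pub) if on_path_rewrite else b_pub

    # Everything a passive observer on the wire gets to see.
    observed = (a_pub, b_pub)

    alice_key = derive_key(dh_shared_secret(a_priv, b_pub_seen_by_alice),
                           f"{a_pub}:{b_pub_seen_by_alice}".encode())
    bob_key = derive_key(dh_shared_secret(b_priv, a_pub),
                         f"{a_pub}:{b_pub}".encode())
    return alice_key, bob_key, observed
```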

    • Awesome, thanks for all of that. Then it sounds like the only way a nation state could block VPNs is if they decided to "go nuclear" and do what the person above said: block anyone who they detect is using a VPN/encrypted channel.

      Based on that information, the theory for why a nation state would block https like this for a moment is either an accident, or to only block the low hanging fruit of people who don't use a VPN.